Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
46894
Views
5
Helpful
11
Replies

Asa 5505 inside network route to another network

Go to solution
ThomasMull9000
Level 1
Level 1

‎11-30-2011 12:31 AM - edited ‎03-04-2019 02:27 PM

Hello Guys.

i have cisco asa 5505 Security adaptive firewall. my inside network is 192.168.1.0 255.255.255.0 . i want to add static  route another network i have that network id is 192.168.2.0 . 255.255.255.0.

My 8 Ports de


Eth 0/0  ====== Outside              200.200.200.x

Eth0/1======= Inside                  192.168.1.1

Eh0/2=========OtherNetwork      192.168.2.1

so please how i can add the route

Thank You

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to ThomasMull9000

‎11-30-2011 05:42 AM

Since your license supports only two vlans (I'm not that up-to-date about ASA licenses) you may not be able to add more than two vlans per the liscense but outside users can still get to more than 2 vlans on your internal network.

For Example:

---WAN Connection---> Outside Interface of ASA ----> (route statements) ----> Inside Interface

You can put the following route statement on the ASA.

route inside 192.168.2.0 255.255.255.0 192.168.1.1

When the ASA gets a packet with destination IP address of 192.168.2.x/24 it will go to the next hop of 192.168.1.1.

It will then send an ARP out the appropriate subnet. Now you will have to have the vlan configuration on your switches

obviously to get this to work. Feel free to test it out and let us know how it goes.

View solution in original post

0 Helpful

Go to solution
ajay chauhan
Level 7
Level 7
In response to ThomasMull9000

‎11-30-2011 06:08 AM

What is your topology ? Where network 192.168.2.0/24 is configured on switch or router ?

Putting by router and swicthes conncted to Inside zone you can extended your network and then only this route route inside 192.168.2.0 255.255.255.0 192.168.1.1 will work .

Thanks

Ajay

View solution in original post

0 Helpful
11 Replies 11

Go to solution
JohnTylerPearce
Level 7
Level 7

‎11-30-2011 02:54 AM

You could do route inside 192.168.2.0 255.255.255.0 192.168.2.1

When they ASA gets a packet with destination for 192.168.2.0/24, it should send an ARP down that interface to a switch, which should have VLAN information, so it can get to the correct destination.

0 Helpful

Go to solution
ThomasMull9000
Level 1
Level 1
In response to JohnTylerPearce

‎11-30-2011 05:33 AM

Here i have only two Vlan's inside

Vlan 1 = Eth0/0   -- outside interface   200.200.200.x

Vlan 2- Eth0/1 .        inside Interface  192.168.1.1

Eth0/1

Eth0/2    ------- other networ

Eth0/3

Eth0/4

Eth0/5

Eth0/6

Eth0/7

My license supports only 2 vlans. so how it's possible to root other network that different my VLAN Ip addres

Thank johnTyler Pearce

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to ThomasMull9000

‎11-30-2011 05:42 AM

Since your license supports only two vlans (I'm not that up-to-date about ASA licenses) you may not be able to add more than two vlans per the liscense but outside users can still get to more than 2 vlans on your internal network.

For Example:

---WAN Connection---> Outside Interface of ASA ----> (route statements) ----> Inside Interface

You can put the following route statement on the ASA.

route inside 192.168.2.0 255.255.255.0 192.168.1.1

When the ASA gets a packet with destination IP address of 192.168.2.x/24 it will go to the next hop of 192.168.1.1.

It will then send an ARP out the appropriate subnet. Now you will have to have the vlan configuration on your switches

obviously to get this to work. Feel free to test it out and let us know how it goes.

0 Helpful

Go to solution
ThomasMull9000
Level 1
Level 1
In response to JohnTylerPearce

‎11-30-2011 05:55 AM

i added the  route inside 192.168.2.0 255.255.255.0 192.168.1.1,  but still i can't reach the other network of 192.168.2.0


0 Helpful

Go to solution
ajay chauhan
Level 7
Level 7
In response to ThomasMull9000

‎11-30-2011 06:08 AM

What is your topology ? Where network 192.168.2.0/24 is configured on switch or router ?

Putting by router and swicthes conncted to Inside zone you can extended your network and then only this route route inside 192.168.2.0 255.255.255.0 192.168.1.1 will work .

Thanks

Ajay

0 Helpful

Go to solution
JohnTylerPearce
Level 7
Level 7
In response to ajay chauhan

‎11-30-2011 06:11 AM

Beat me to it ajay. I was going to ask where the 192.168.2.0/24 was configured.

0 Helpful

Go to solution
ThomasMull9000
Level 1
Level 1
In response to ajay chauhan

‎11-30-2011 06:57 AM

Yes it works thank you guys.. this is why i love cisco .great support

0 Helpful

Go to solution
lakdawala
Level 1
Level 1
In response to ThomasMull9000

‎04-23-2019 09:07 AM

route inside 192.168.2.0 255.255.255.0 192.168.1.1 - This will not work as 192.168.1.1 is IP of interface on ASA.  You will need a next hop IP address (such as router or L3 IP configured on core switch, etc.)

0 Helpful

Go to solution
ugot2nome
Level 1
Level 1

‎11-30-2011 06:17 AM

For the Base license, allow this interface to be the third VLAN by limiting it from initiating contact to one other VLAN using the following command:

hostname(config-if)# no forward interface vlan number

Where number specifies the VLAN ID to which this VLAN interface cannot initiate traffic.

With the Base license, you can only configure a third VLAN if you use this command to limit it.

For example, you have one VLAN assigned to the outside for Internet access, one VLAN assigned to an inside business network, and a third VLAN assigned to your home network. The home network does not need to access the business network, so you can use the no forward interface command on the home VLAN; the business network can access the home network, but the home network cannot access the business network.

If you already have two VLAN interfaces configured with a nameif command, be sure to enter the no forward interface command before the nameifcommand on the third interface; the adaptive security appliance does not allow three fully functioning VLAN interfaces with the Base license on the ASA 5505 adaptive security appliance.

Note If you upgrade to the Security Plus license, you can remove this command and achieve full functionality for this interface. If you leave this command in place, this interface continues to be limited even after upgrading.

URL: http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1056883

Thanks,
Brian

Go to solution
elguen.hasanov
Level 1
Level 1
In response to ugot2nome

‎07-16-2012 02:04 PM

Hi all.

I have some problem with my cisco asa 8.2. I no need Vlan connection configuration. I have to know how shoud i connect 2 inside interfaces. I am writing what i have.

I have 5 network connection on Cisco ASA.

1. Interface Ethernet 0/0 - outside 200.200.200.200 255.255.255.240

2. Interface Ethernet 0/1 - 1_firm 10.0.1.1 255.255.255.0

3. Interface Ethernet 0/2 - 2_firm 192.168.1.1 255.255.255.0

4. Interface Ethernet 0/3 - DMZ-Server 10.10.10.1 255.255.255.0 (Just one Server)

5. Management -  no need

I have to connect Interface (1_firm) with Interface (2_firm). I've tried "route 1_firm 192.168.1.0 255.255.255.0 10.0.1.1" ,

but i resiving following error "Cannot add route,connected route exists".

But i have no route configuration. What i have cheking? Or maked i some wrong?

Thanks for your help.     

0 Helpful

Go to solution
petehaaswws
Level 1
Level 1
In response to elguen.hasanov

‎05-30-2018 01:55 PM

It seems like the ASA is trying to explain (especially through packet tracer) the destination IP address is not available based in the ARP cache.

 

If the destination IP address were learnt via ARP then this will likely resolve your issue.

 

Just confirm the connected route actually exists via 'show route' in case this is not available either.

 

Obviously there is no reason to add a static route if the same route is already present as a connected route.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card